Security
Security is a foundational constraint at Altacee, not an afterthought. This page summarises our certifications, technical controls, and operational practices. For audit evidence or detailed questionnaire responses, visit the Trust Center.
Compliance certifications
- SOC 2 Type II (achieved): annual audit covering the Security, Availability, and Confidentiality trust service criteria. Report available to customers under NDA.
- ISO 27001 (achieved): information security management system certification. Certificate available on request.
- ISO 27701 (in progress): privacy information management extension to ISO 27001.
- GDPR / UK GDPR (achieved): DPA v3 with SCCs available. See DPA page.
- HIPAA BAA (achieved): Business Associate Agreements available for eligible enterprise plans. Contact sales to request.
Encryption
In transit
All traffic between clients and Altacee endpoints is encrypted with TLS 1.3. TLS 1.0 and 1.1 are disabled. HSTS with a one-year max-age is enforced on all public domains.
At rest
All customer data stored on disk is encrypted with AES-256. Database encryption is enforced at the storage layer; backups are also encrypted before leaving the primary region.
Key management
Encryption keys are managed via a dedicated Key Management Service (KMS). Bring Your Own Key (BYOK) is available on Enterprise plans, allowing customers to control and rotate their own master keys.
Access control
Role-based access (RBAC)
All internal systems enforce RBAC. Engineers have the minimum access required to perform their role. Production database access requires just-in-time (JIT) provisioning with a one-hour TTL and mandatory audit logging.
Multi-factor authentication
MFA is mandatory for all Altacee employees on every internal system. Customer accounts support TOTP and WebAuthn passkeys; enterprise SSO (SAML 2.0, OIDC) is available on Business and Enterprise plans.
Customer data isolation
Tenant data is logically isolated at the application layer and, on Enterprise plans, physically isolated in dedicated infrastructure. Row-level security policies are enforced on all shared database instances.
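As an added illustration of the row-level security mechanism described above (example SQL, not Altacee's actual schema or policies), the following PostgreSQL snippet isolates tenants on a shared table. The table `documents`, the column `tenant_id`, the role `app_user`, the session setting `app.tenant_id` and the sample UUIDs are all assumptions chosen for the example.

```sql
-- Added example (not Altacee's schema): PostgreSQL row-level security for a
-- shared, multi-tenant table. Table, column, role and setting names are assumed.
CREATE TABLE documents (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL,
    body       text
);

-- The application connects as a role that neither owns the table nor is a
-- superuser. Table owners bypass RLS unless FORCE ROW LEVEL SECURITY is set,
-- so we set it as well, as a safety net against a misconfigured connection.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- One policy governs reads (USING) and writes (WITH CHECK): a row is visible
-- or writable only when its tenant_id equals the tenant pinned on the session.
-- current_setting(..., true) returns NULL instead of raising when the setting
-- was never defined; NULLIF handles the '' a reset placeholder GUC leaves
-- behind. Comparing against NULL is never true, so an unset tenant sees and
-- writes zero rows rather than all rows (fail closed).
CREATE POLICY tenant_isolation ON documents
    FOR ALL
    TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, the application pins the session to the authenticated tenant.
-- SET LOCAL is scoped to the transaction, so a pooled connection cannot carry
-- the previous request's tenant over to the next one.
SET ROLE app_user;

BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (tenant_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Q3 plan');  -- allowed
SELECT id, title FROM documents;  -- only tenant 1111...'s rows are returned
COMMIT;

-- A write that names another tenant fails the WITH CHECK clause and aborts
-- the transaction with "new row violates row-level security policy".
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (tenant_id, title)
    VALUES ('22222222-2222-2222-2222-222222222222', 'Other tenant');  -- rejected
ROLLBACK;

-- With no tenant pinned, the policy evaluates to NULL and nothing is visible.
BEGIN;
SELECT count(*) FROM documents;  -- 0
COMMIT;
```

The important properties are that the policy is enforced by the database rather than by every query the application writes, that the application role cannot disable it, and that a missing or stale tenant setting denies access instead of widening it.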
Incident response
24/7 on-call operations
Alerts are routed through PagerDuty to an on-call engineer around the clock. P1 incidents trigger a war-room within 15 minutes of detection.
Customer notification SLA
For incidents affecting customer data, we notify affected customers within 72 hours of confirmed detection, so that customers can meet their own GDPR Art. 33 (supervisory authority) and Art. 34 (data subject) notification obligations. Status updates are published at status.altacee.com.
Post-incident reviews
Every P1 and P2 incident results in a blameless post-mortem within five business days. Findings drive improvements to monitoring, runbooks, and architecture.
Vulnerability management
Penetration testing
Annual third-party penetration tests cover the application layer, network perimeter, and cloud configuration. Summaries are available to enterprise customers under NDA.
Dependency scanning
All production dependencies are scanned for known CVEs on every build. Critical and high-severity findings are remediated within 7 days.
Vulnerability disclosure
If you discover a security issue, please report it responsibly to [email protected]. We aim to acknowledge all reports within 2 business days and provide a resolution timeline within 5 business days. A bug bounty programme is forthcoming.
Physical and operational security
Cloud-native infrastructure
Altacee does not operate physical data centres. All infrastructure runs on AWS, which maintains ISO 27001, SOC 1/2/3, and PCI-DSS certifications for its facilities and controls.
Employee screening
All employees with access to production systems undergo background checks prior to hire and complete annual security awareness training.
Endpoint security
Company devices use full-disk encryption, mobile device management (MDM), and endpoint detection and response (EDR) software. Personal devices are not permitted to access production systems.
Request an evidence bundle
Enterprise customers can request our full security evidence bundle (SOC 2 report, ISO 27001 certificate, penetration test summary, completed security questionnaires) via the Trust Center request form or by emailing [email protected].